-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 7/2/2014 2:46 PM, Kali Tor wrote:
Hi,
If you are asking how to secure your box better, indeed the public IP address list of relays is often scanned and brute forced. That is why I recommend:
- if you run only Tor on that box is best, if not make sure
your apps are properly secured (mysql not listening on public IP if it's not a remote mysql server, strong passwords for mysql, ftp, etc.). - - make sure only ports used by Tor are open. There is no need for anything else. - - if you use ssh for administration that is fine, just change the port from 22 in /etc/ssh/sshd_config to some custom port, anything, like 2988 or whatever. - - permanently disabled plain password authentication or rhost authentication in sshd_config and only allow key-based authentication for better security and protection against weak password probing. - - do not allow any other users for SSH access.
Let me know if you have any other questions.
I have done all that, so covered on that aspect. Was wondering if disk encryption and use of something like TRESOR would be useful?
-kali- _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Full disk encryption on a Tor relay, if it's just a Tor relay it's overkill. It will just increase the HDD I/O rate and resource consumption.
Also, most important, if you use full disk encryption and your vm gets somehow rebooted (migrated to another cluster by your provider, update to the host OS or hardware, etc.) and you are not around to enter the passphrase for full disk encryption your operating system will not boot and cause you long downtime, until you are available to manually enter the passphrase. this can cause you to lose flags in the consensus, because of extended downtime.
Important to say that Tor does not have any files which need to encrypted. Tor, by design protects each relay by not knowing both the original source and the final destination of the traffic. It just has some cache of the consensus data, which anyone can publicly get from the Tor network without needing to break your box or hack your full disk encryption.
Only things which are secret are your onion keys, which give your relay's fingerprint. Make sure you back those up, in case you need to re-install this relay.
If you use that vm for something else too and you have some sensitive data there, it is always a good idea to encrypt everything... but in your scenario full disk encryption will not help since you are exposed to physical attacks (e.g. someone caching your files while your virtual machine is RUNNING, making full disk encryption useless).
- -- s7r PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11